-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark wrote:
The domain owner will almost certainly never accept responsibility for
the messages sent. We went over that before, and it would be setting
oneself for a huge legal pitfall. And, in fact, the larger ISPs I know
all specifically disavow responsibility for messages sent.
Excuse me for saying this, but this argument is totally bogus. The fact
may be true, but the conclusion is false. In case of legal relevance,
senders will _always_ be held responsible for the content they send. It
has been this way since it is possible to track IP addresses.
There is no anonymity (AKA freedom from responsibility) that could be
destroyed by a strong definition of SPF "Pass".
And I am sure there are hordes of white-hat domain owners who would be very
willing to accept responsibility -- reputation-wise, not in a legal sense
- -- for the messages that authorizedly use their domain.
Domain owners not wanting to do so are free not to assert "Pass".
So why do we not go the rest of the way and admit that "Pass"
must mean that the domain owner trusts the MTA not to allow forgeries
or accepts responsibility (bears reputation, accepts unjustified
bounces) for the "unauthentic" cases otherwise?
Because, the odd case notwithstanding, hardly any SMTP mailer prevents
cross-domain/user forgery at the moment.
For many, this is not necessary, because for the users of many MTAs there
is no incentive to forge the domains of their peers because they belong to
the same domain anyway. hotmail.com, aol.com, and most company MTAs come
to mind.
Only MTAs that host multiple domains owned by unrelated persons or
organizations are problematic. I'm real sorry for them, but these
domains' owners simply should not assert "Pass" for these MTAs.
And when we are dealing with formulating/finalizing a spec, I feel we
really should only stake a claim to what is, to the letter, truthfully
ours to claim. Otherwise, like I said on IRC, we would just be writing
cheques our SPF records can't truly cash.
This argument is not about what individual SPF records can cash, but about
what things domain owners should be able to express.
What is the point of assigning to "Neutral" some obscure, mostly irrelevant
meaning and, by overloading "Pass" with the original meaning of "Neutral",
taking away from domain owners the ability to express through "Pass"
willingness to assume full responsibility for the use of their domains?
On the other hand, the only ones who would be disadvantaged by a strong
definition of "Pass" would be those who would then have a substantial
incentive not to publish "Pass" -- which are exactly the domain owners
whose domains are hosted on shared MTAs w/o cross-user forgery protection.
Is it worth to disadvantage all the other domain owners just so the
"shared MTA" owners can have their (then meaningless) "Pass"?
I want to be able to express that I accept full responsibility, reputation-
wise, for the use of my domain. (Can I have "HardPass", please?)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCoFx0wL7PKlBZWjsRAh1aAJ4rgaSWz5LeM+8HAG3M9Xnf1BrFwQCg9yN/
oiIqWZQZsqZHJUNXGdfZNvY=
=c5YI
-----END PGP SIGNATURE-----